Date: Wed, 16 Jun 2004 01:32:58 +0100
From: Robert Downes <nullentropy@lineone.net>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Firewall rules
Message-ID: <40CF953A.9030304@lineone.net>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGCEJHGCAA.Barbish3@adelphia.net>
References: <MIEPLLIBMLEEABPDBIEGCEJHGCAA.Barbish3@adelphia.net>
JJB wrote:

> Fundamentally his keep-state rules work and yours don't.

I have used his script exactly, modifying only for the differences in my ISP's addresses. Everything works as before, and still the check-state rule is showing zero packets and zero bytes, even though keep-state rules have been triggered. Are you sure this is not just a quirk of IPFW?

> The use of the skipto rule to control what IP address goes into the dynamic
> keep-state table, i.e. the LAN IP or the natd public IP. The bottom
> line is native ipfw with natd and stateful rules does not work
> together at all, unless you do some gymnastics with the skipto rule so
> the dynamic keep-state table always has the private LAN IP address
> for matching against.

Yes, this is the mechanism I cannot find a clear explanation for. Can you recommend a link to a page that defines how IPFW stumbles on NAT and keep-state, because I've read and re-read the IPFW man page, and it does me no good whatsoever.

> If you want the max in firewall protection you
> need stateful rules to monitor the bi-directional exchange of
> session packets conversation so forged packets can not be inserted.

I agree.

> My recommendation is to scrap your rule file and use the posted
> archive example with changes for your network. Like the 2 LAN NIC
> cards, lo0 interface, and the correct public facing NIC card
> interface for the via interface name.

I've done that. Much better ruleset, but I still cannot see how it is handling NAT + keep-state any differently.

> Second problem is you are
> allowing everything out your firewall. This is very bad as it
> allows out any trojans or spyware from Windows boxes on your LAN so
> they can report their harvested info to the person who planted them.
> Take control of your firewall and only allow out the exact services
> you know you are using.

No arguments there. I'm running ZoneAlarm on all Windows boxes, but it's still better to aim for traffic to be killed on sight by the router.

-- 
Bob
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40CF953A.9030304>
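The skipto mechanism JJB describes, and the zero-count check-state symptom Bob reports, worked through in an added example that is not part of the thread and not anyone's actual ruleset: a deliberately simplified Python model of ipfw rule traversal with a natd divert in the path. The addresses, ports and rule numbers are constructed. The "naive" ordering is an assumed layout that reproduces the symptom (traffic flows, check-state counts nothing), not Bob's real rule file; the skipto layout follows the structure JJB describes, with the inbound divert ahead of check-state and the outbound keep-state rules jumping past the inbound denies to the outbound divert. The model assumes a packet natd hands back re-enters the firewall at the rule after the divert rule, which is what that layout relies on.

```python
"""Simplified model of ipfw + natd + keep-state ordering (added example, not ipfw itself)."""
from dataclasses import dataclass, field, replace

LAN_IP, PUB_IP, REMOTE = "192.168.1.5", "203.0.113.7", "198.51.100.10"  # constructed


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" or "in" via the public interface


@dataclass
class Rule:
    num: int
    action: str          # "allow", "deny", "divert", "check-state", "skipto N"
    match: object        # callable(Packet) -> bool, stands in for the rule body
    keep_state: bool = False


@dataclass
class Firewall:
    rules: list
    dynamic: set = field(default_factory=set)    # the keep-state table
    nat_map: dict = field(default_factory=dict)  # natd: public port -> LAN address
    check_state_hits: int = 0

    def natd(self, p):
        """Rewrite the source on the way out, reverse it on the way in (what the divert does)."""
        if p.direction == "out" and p.src == LAN_IP:
            self.nat_map[p.sport] = p.src
            return replace(p, src=PUB_IP)
        if p.direction == "in" and p.dst == PUB_IP and p.dport in self.nat_map:
            return replace(p, dst=self.nat_map[p.dport])
        return p

    @staticmethod
    def flow(p):
        """A dynamic entry matches both directions, so key on the unordered endpoint pair."""
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def run(self, p):
        """Walk the rules in order; return (verdict, packet as it leaves the firewall)."""
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            if not r.match(p):
                i += 1
                continue
            if r.action == "divert":
                p = self.natd(p)  # assumption: natd's packet re-enters at the next rule
                i += 1
                continue
            if r.action == "check-state":
                if self.flow(p) in self.dynamic:
                    self.check_state_hits += 1
                    return "allow", p
                i += 1
                continue
            if r.keep_state:
                self.dynamic.add(self.flow(p))  # records the addresses as seen AT THIS rule
            if r.action.startswith("skipto"):
                target = int(r.action.split()[1])
                i = next(k for k, x in enumerate(self.rules) if x.num >= target)
                continue
            return r.action, p
        return "deny", p


OUT_HTTP = lambda p: p.direction == "out" and p.dport == 80
IN_ANY = lambda p: p.direction == "in"
OUT_ANY = lambda p: p.direction == "out"
ANY = lambda p: True


def naive_ruleset():
    """natd diverted both ways at the top, so state is kept AFTER translation."""
    return [
        Rule(100, "divert", ANY),                       # divert natd ip from any to any via $pif
        Rule(200, "check-state", ANY),
        Rule(300, "allow", OUT_HTTP, keep_state=True),  # allow tcp from any to any 80 out via $pif keep-state
        Rule(400, "allow", IN_ANY),                     # permissive inbound rule that lets replies in anyway
        Rule(65535, "deny", ANY),
    ]


def skipto_ruleset():
    """Inbound divert before check-state; outbound keep-state rules skipto the outbound divert."""
    return [
        Rule(100, "divert", IN_ANY),                         # divert natd ip from any to any in via $pif
        Rule(200, "check-state", ANY),
        Rule(300, "skipto 800", OUT_HTTP, keep_state=True),  # skipto 800 tcp from any to any 80 out via $pif setup keep-state
        Rule(700, "deny", IN_ANY),                           # deny log all from any to any in via $pif
        Rule(800, "divert", OUT_ANY),                        # divert natd ip from any to any out via $pif
        Rule(810, "allow", ANY),                             # allow ip from any to any
        Rule(65535, "deny", ANY),
    ]


def session(ruleset):
    """LAN host opens HTTP, the reply comes back, then a forged inbound packet with no state."""
    fw = Firewall(ruleset)
    fw.run(Packet(LAN_IP, 1234, REMOTE, 80, "out"))
    reply, _ = fw.run(Packet(REMOTE, 80, PUB_IP, 1234, "in"))
    forged, _ = fw.run(Packet(REMOTE, 80, PUB_IP, 5555, "in"))
    addrs = sorted(addr for key in fw.dynamic for addr, _ in key)
    return {"reply": reply, "forged": forged,
            "check_state_hits": fw.check_state_hits, "state_addrs": addrs}


if __name__ == "__main__":
    print("naive :", session(naive_ruleset()))
    print("skipto:", session(skipto_ruleset()))
```

In the naive layout the outbound packet is translated before it reaches the keep-state rule, so the dynamic entry is keyed on the public address; the reply is translated back to the LAN address before check-state, never matches, and only gets through because of the permissive inbound rule, which also admits the forged packet. In the skipto layout the entry is created with the LAN address, the translated reply matches at check-state, and the forged packet falls to the inbound deny.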